Cyber Web Spider Blog – News
Securden Unified PAM Vulnerability Let Attackers Bypass Authentication

Posted on August 27, 2025 By CWS

Cybersecurity researchers have uncovered a critical security flaw in Securden Unified PAM that allows attackers to completely bypass authentication and gain unauthorized access to sensitive credentials and system functions.

The vulnerability, tracked as CVE-2025-53118 with a CVSS score of 9.4, is one of four severe security issues discovered in the privileged access management solution that could enable full system compromise.

The authentication bypass vulnerability exploits a fundamental flaw in how Securden Unified PAM handles session management.

Attackers can navigate to the /thirdparty-access endpoint to automatically receive a securdensession cookie, which can then be leveraged to obtain CSRF tokens and securdenpost cookies through the /get_csrf_token URL.

This cookie-based authentication mechanism fails to properly validate user authorization, instead only checking for the presence of these session tokens.

The discovery emerged during continuous red teaming exercises conducted through Rapid7's Vector Command service.

Rapid7 analysts identified the vulnerabilities while performing routine security assessments, quickly recognizing the severe implications for organizations relying on the PAM solution for credential management and access control.

Beyond the primary authentication bypass, researchers uncovered three additional vulnerabilities that compound the security risk.

These include an unauthenticated unrestricted file upload flaw (CVE-2025-53119), a path traversal vulnerability in file upload functionality (CVE-2025-53120), and a shared SSH key infrastructure issue (CVE-2025-6737) that affects Securden's cloud gateway services.
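The root cause described above is a presence-only session check. The following is an added illustration, not Securden's code and not taken from the advisory: a hypothetical in-memory session store that hands out a session cookie before login (modelling the behaviour attributed to /thirdparty-access), a check that merely tests whether the cookie exists, and the hardened form that resolves the cookie server-side and requires an authenticated user with the needed role. The cookie name comes from the article; the store, user names and role names are assumptions.

```python
import secrets

# Cookie name from the advisory; the store, user names and roles below are
# hypothetical, written to illustrate the flaw class rather than Securden's code.
SESSION_COOKIE = "securdensession"


class SessionStore:
    """Minimal server-side session table keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def issue_anonymous(self):
        # Models an endpoint that gives any visitor a session cookie before
        # login (the behaviour the advisory attributes to /thirdparty-access).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "authenticated": False, "roles": set()}
        return sid

    def login(self, sid, username, roles):
        # Upgrades an existing session; called only after a successful credential check.
        sess = self._sessions[sid]
        sess.update(user=username, authenticated=True, roles=set(roles))

    def get(self, sid):
        return self._sessions.get(sid)


def is_authorized_vulnerable(cookies):
    """Presence-only check: passes whenever the cookie exists, never consulting the store."""
    return SESSION_COOKIE in cookies


def is_authorized_hardened(cookies, store, required_role="admin"):
    """Resolve the cookie server-side and require an authenticated user holding the role."""
    sid = cookies.get(SESSION_COOKIE)
    if not sid:
        return False
    sess = store.get(sid)
    if sess is None or not sess["authenticated"] or sess["user"] is None:
        return False
    return required_role in sess["roles"]


def demo():
    """Exercise both checks against anonymous, forged and authenticated sessions."""
    store = SessionStore()
    anon = {SESSION_COOKIE: store.issue_anonymous()}
    forged = {SESSION_COOKIE: "not-a-real-session-id"}  # constructed bogus cookie
    admin_sid = store.issue_anonymous()
    store.login(admin_sid, "alice", ["admin"])
    admin = {SESSION_COOKIE: admin_sid}
    return {
        "vulnerable_anon": is_authorized_vulnerable(anon),
        "vulnerable_forged": is_authorized_vulnerable(forged),
        "hardened_anon": is_authorized_hardened(anon, store),
        "hardened_forged": is_authorized_hardened(forged, store),
        "hardened_admin": is_authorized_hardened(admin, store),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The hardened check fails closed on three separate conditions (no cookie, unknown session, session never authenticated), which is what a code review of a privileged endpoint should look for: the decision must depend on server-side state, not on the client having presented a token.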

Exploitation Mechanism and Technical Analysis

The authentication bypass vulnerability demonstrates particularly sophisticated attack vectors through its abuse of backup functionality.

Once attackers obtain the required session tokens, they can access the /configure_schedule endpoint to trigger encrypted password backups with administrator privileges.

The attack leverages the SCHEDULE_ENCRYPTED_HTML_BACKUP type to extract full credential databases, requiring only that a superadmin account exists within the system.

Technical analysis reveals that successful exploitation requires removing the X-Requested-With header during authentication bypass requests, as the server returns errors when this header is present.

Attackers can specify custom backup locations, including external SMB shares or the application's static webroot folder, enabling direct download of encrypted credential files.

The backup filenames follow predictable patterns based on backup timestamps, making them susceptible to brute-force discovery.

The vulnerability's impact extends beyond simple credential theft. When combined with the file upload vulnerabilities, attackers can achieve full remote code execution by overwriting system files such as postgresBackup.bat with malicious PowerShell commands.

This multi-stage attack chain transforms what initially appears to be an authentication issue into full system compromise.
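The chain above walks three endpoints in a fixed order without a login in between, which gives a defender a detection signal in ordinary web-server access logs. The following is an added example, not part of the article or Rapid7's research: a small Python detector that parses combined-log-format lines and flags any client that reaches /thirdparty-access, /get_csrf_token and /configure_schedule (the endpoint names come from the article) within a time window without first posting to a login endpoint. The log lines, client addresses, timestamps and the login path "/login" are constructed assumptions; the real login path and log format of a given deployment must be substituted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format). Addresses,
# timestamps and the "/login" path are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Aug/2025:10:01:02 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [27/Aug/2025:10:01:05 +0000] "GET /get_csrf_token HTTP/1.1" 200 128
10.0.0.5 - - [27/Aug/2025:10:02:10 +0000] "POST /configure_schedule HTTP/1.1" 200 54
203.0.113.7 - - [27/Aug/2025:10:05:00 +0000] "GET /thirdparty-access HTTP/1.1" 200 1024
203.0.113.7 - - [27/Aug/2025:10:05:01 +0000] "GET /get_csrf_token HTTP/1.1" 200 128
203.0.113.7 - - [27/Aug/2025:10:05:03 +0000] "POST /configure_schedule HTTP/1.1" 200 54
198.51.100.9 - - [27/Aug/2025:10:06:00 +0000] "GET /thirdparty-access HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory, in the order the bypass chain uses them.
CHAIN = ("/thirdparty-access", "/get_csrf_token", "/configure_schedule")
LOGIN_PATH = "/login"   # assumed name of the legitimate login endpoint
WINDOW_SECONDS = 600    # how close together the three requests must be


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def find_bypass_chains(log_text, window=WINDOW_SECONDS):
    """Return one finding per client that walks the full chain without a prior login."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] < 400:       # only successful requests advance the chain
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        logged_in = False
        stage, stage_start = 0, None
        for rec in recs:
            if rec["path"] == LOGIN_PATH and rec["method"] == "POST":
                logged_in = True
            if logged_in:
                continue                      # authenticated client: these requests are expected
            if stage > 0 and (rec["ts"] - stage_start).total_seconds() > window:
                stage, stage_start = 0, None  # too slow, start over
            if rec["path"] == CHAIN[stage]:
                if stage == 0:
                    stage_start = rec["ts"]
                stage += 1
                if stage == len(CHAIN):
                    findings.append({"ip": ip, "first_seen": stage_start, "last_seen": rec["ts"]})
                    stage, stage_start = 0, None
    return findings


if __name__ == "__main__":
    for f in find_bypass_chains(SAMPLE_LOG):
        print(f"possible auth-bypass chain from {f['ip']} between {f['first_seen']} and {f['last_seen']}")
```

In the constructed sample only 203.0.113.7 completes the chain without logging in; the client that authenticated first is ignored and the one that only touched /thirdparty-access is not reported. In production the same logic belongs in a SIEM rule keyed on client address or session cookie, and a hit should be paired with a check of the application's backup directory and static webroot for unexpected backup files.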

| CVE ID | Vulnerability Name | CVSS Score | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2025-53118 | Authentication Bypass | 9.4 | Bypass authentication to access backup functions and steal passwords/secrets | 9.0.x through 11.3.1 |
| CVE-2025-53119 | Unauthenticated Unrestricted File Upload | 7.5 | Upload malicious binaries and scripts without authentication | 9.0.x through 11.3.1 |
| CVE-2025-53120 | Path Traversal In File Upload | 9.4 | Remote code execution via path traversal in file uploads | 9.0.x through 11.3.1 |
| CVE-2025-6737 | Shared SSH Key and Cloud Infrastructure | 7.2 | Access gateway server with low privileges using shared credentials | 9.0.x through 11.3.1 |

Securden has addressed these vulnerabilities in version 11.4.4, emphasizing the critical importance of prompt updates for all affected installations to prevent exploitation of these severe security flaws.
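A practical first step for an asset owner is to triage an inventory of Securden installations against the affected range (9.0.x through 11.3.1) and the fixed release (11.4.4) stated above. The following is an added example, not vendor tooling: a Python classifier that parses dotted version strings, treats "9.0.x" as a lower bound of 9.0.0 (an assumption), and deliberately reports versions that fall between 11.3.1 and 11.4.4 as unlisted rather than safe, since the advisory says nothing about them. The host names in the inventory are constructed.

```python
# Version bounds as stated in the advisory table. Treating "9.0.x" as a lower
# bound of 9.0.0 is an assumption made for this example.
AFFECTED_LOW = (9, 0, 0)
AFFECTED_HIGH = (11, 3, 1)
FIXED_IN = (11, 4, 4)


def parse_version(text):
    """Turn '11.3.1' (or '11.3') into a comparable 3-tuple of ints."""
    parts = text.strip().split(".")
    nums = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"not a numeric version: {text!r}")
        nums.append(int(p))
    while len(nums) < 3:          # pad '11.3' to (11, 3, 0)
        nums.append(0)
    return tuple(nums[:3])


def classify(version_text):
    """Map an installed version to one of four statuses; never assumes a gap is safe."""
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return "fixed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if AFFECTED_HIGH < v < FIXED_IN:
        return "unlisted-verify-with-vendor"   # between stated upper bound and fix
    return "below-affected-range"


def triage(inventory):
    """Group (host, version) pairs by status so patch work can be prioritised."""
    grouped = {}
    for host, version in inventory:
        grouped.setdefault(classify(version), []).append(host)
    return grouped


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = [("pam-prod-1", "11.3.1"), ("pam-prod-2", "11.4.4"),
              ("pam-lab", "9.0.7"), ("pam-staging", "11.4.0")]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts)}")
```

Keeping the "unlisted" bucket separate matters: an interim release that the advisory does not mention should be confirmed with the vendor, not assumed patched because its number is above 11.3.1.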
